Talk:PGP TUTORIAL/@comment-174.22.174.21-20150103173818
Here's a quick guide for Windows users who are new to PGP signature verification. This is very important for this puzzle; if you intend to join the solvers this year, you owe it to them to learn this process. Cicada 3301 will always provide a PGP signature to verify the authenticity of their messages. Assume that any message without a signature is fake!

1. Download and install gpg4win:
 - http://www.gpg4win.org
 - The UI client for gpg4win is called Kleopatra. Open Kleopatra.

2. Add the MIT keyserver to your list of directory services.
 - Go to Settings>Configure Kleopatra.
 - Top of configure window should read "Configuration of directory services"
 - Click "new" at the top-right corner of the config window. A default server should appear in your list of directory services.
 - Change server name to 'pgp.mit.edu'. Ensure that "scheme" is set to 'hkp', and make sure that the box under "OpenPGP" is checked.
 - Change the "server port" value to '11371', if it is not already set.
 - Click "apply" and "OK".

3. Import the Cicada 3301 PGP certificate to your keychain in Kleopatra.
 - On the main window in Kleopatra, click the button in the top-right corner labeled "Lookup Certificates on Server". This button has a binocular logo next to it.
 - This will open a window titled "Certificate Server Certificate Lookup". The key-id for Cicada 3301's certificate is 7A35090F, and we'll need to add the '0x' prefix when searching for this certificate.
 - In the "Find:" search bar, type '0x7A35090F' and click "search".
 - Pop-up window should read "Hex-string search - kleopatra", with a warning about some searches requiring a "0x" prefix. Click OK.
 - Under name, you should now see "Cicada 3301 (845145127)". This is Cicada's PGP key. Highlight the key and click "Import".
 - Click "OK" on the next pop-up window. You should now have a Cicada 3301 certificate in your keychain.

4. Verify PGP signatures with Kleopatra.
 - You're now set to verify signatures against Cicada 3301's PGP certificate.
Cicada will include a signature with every message, which is used to verify that the message is in fact from Cicada 3301. Here's how to verify a signature using Kleopatra.
 - Copy the full text of the message to your clipboard. A signed message will start with "-----BEGIN PGP SIGNED MESSAGE-----" and end with "-----END PGP SIGNATURE-----". You must include the header and footer when you copy the message to your clipboard.
 - At the top-right corner of the main Kleopatra menu, click the button which says "Clipboard". It has a picture of a clipboard next to it.
 - If you copied the message correctly, you should be able to click "Decrypt/Verify". If you did not copy the message correctly, this option will be greyed out.
 - Click "Decrypt/Verify".
 - A window should pop up which says "Decrypt/Verify Email". It will automatically check the signature in your clipboard against the certificates in your keychain.
 - If this signature is from Cicada, then the window will read "Clipboard contents --> Clipboard: Signed by Cicada 3301 (845145127)", and this text will be highlighted in green to indicate a good verification. Any other output means that the signature DID NOT ORIGINATE FROM CICADA 3301, and is therefore not a legitimate message from Cicada.

If you did all this correctly, you should now be equipped to verify PGP-signed messages which claim to be from Cicada 3301. I recommend testing your setup against messages which are known to be from Cicada 3301. Here is a sample message which you can use, actually the first PGP-signed message that Cicada gave us in 2012:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From here on out, we will cryptographically sign all messages with this key. It is available on the mit keyservers. Key ID 7A35090F, as posted in a2e7j6ic78h0j. Patience is a virtue. Good luck.
3301
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP SIGNATURE-----

This message is 100% verified, so if you don't get a good verification for this signature, then something isn't set up right.

If you'd like, at this point you can use Kleopatra to set up your own PGP certificate and to generate your own PGP signatures. Go to File>New Certificate and follow the wizard. I recommend you make a unique email and PGP key for this puzzle, to keep your personal identity secure. Do not use your personal email for this certificate!

~Mothwing
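
A scripted form of the check in step 4, added here as an example and not part of the comment above: it reads the machine-readable status lines that `gpg --status-fd` emits and accepts a message only when the signature is good and the signing key's full fingerprint matches a pinned value, since the displayed name and the 8-digit key ID can both be duplicated on a different key. The fingerprints, dates and status lines below are constructed placeholders, not Cicada 3301's real fingerprint, and the function names are hypothetical.

```python
import subprocess

# Constructed placeholder, NOT Cicada 3301's real fingerprint. Pin the full
# 40-hex-digit fingerprint obtained from a source you trust.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF7A35090F"
FAILURES = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed status output (dates and fingerprints are made up).
GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF7A35090F Cicada 3301 (845145127)
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF7A35090F 2012-01-05 1325721600 0 4 0 1 2 01 0123456789ABCDEF0123456789ABCDEF7A35090F
"""
# Different key carrying the same name and the same short key ID (last 8 hex digits).
LOOKALIKE = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 765432107A35090F Cicada 3301 (845145127)
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA98765432107A35090F 2012-01-05 1325721600 0 4 0 1 2 01 FEDCBA9876543210FEDCBA98765432107A35090F
"""
BAD = "[GNUPG:] BADSIG 89ABCDEF7A35090F Cicada 3301 (845145127)\n"


def evaluate_status(status_text, pinned_fpr=PINNED_FPR):
    """Return (ok, reason) for the status lines of one signature check."""
    good, primary_fpr = False, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag, args = fields[1], fields[2:]
        if tag in FAILURES:
            return False, tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and args:
            # First field: signing key fingerprint; tenth (if present): primary key.
            primary_fpr = args[9] if len(args) >= 10 else args[0]
    if not good:
        return False, "no GOODSIG"
    if primary_fpr is None:
        return False, "no VALIDSIG"
    if primary_fpr.upper() != pinned_fpr.upper():
        return False, "fingerprint mismatch"
    return True, "ok"


def verify_file(path):
    """Run gpg on a clearsigned file and evaluate its machine-readable status."""
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout)
```

`verify_file` needs the `gpg` binary that gpg4win installs to be on the PATH; `evaluate_status` can be exercised on its own with the constructed samples.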